Introduction

This Privacy Notice has been prepared by Advokatfirmaet Thommessen AS ("Thommessen") to ensure that you receive the information we are required to provide to you and which is necessary for you to exercise your rights under the General Data Protection Regulation (Regulation (EU) 2016/679) and Norwegian data protection legislation (together "Data Protection Legislation").

This Privacy Notice describes how Thommessen processes personal data about you, the purpose of our processing activities and the legal basis for our processing activities. This Privacy Notice also describes your rights in connection with our processing of your personal data under applicable Data Protection Legislation.

Generally about personal information

Personal data means any information relating to an identified or identifiable natural person (a "data subject"). Your name, phone number, address and e-mail address are examples of information which generally is regarded as personal data.

Who we process personal data about

This Privacy Notice addresses our processing of personal data about the following persons:

  • Private clients (i.e. a client who is a physical person);
  • The contact persons of our clients;
  • Persons involved in matters we assist with;
  • Other persons mentioned in the case documents we get access to; and
  • The contact persons of our suppliers and collaborators.

Thommessen's responsibility as a controller

As a "controller" Thommessen is responsible for our processing of your personal data. We also act as a controller when we process personal data in connection with our provision of legal services to our clients. Please note however, that the client is responsible for the processing activities the client conducts independently of us.

As controller, Thommessen is responsible for complying with the Data Protection Legislation when we process your personal data.

We will rarely process personal data as a data processor, and will in these events enter into a data processing agreement (in accordance with GDPR Article 28) with the applicable controller.

What kind of personal data do we collect and process?

Legal services etc.

We collect, generate and process the following personal data when we provide legal services, or in connection with the establishment and administration of our relationship with the client:

  • Contact details: If you are the client's contact person or a private client (a client who is a physical person) we will collect and process your contact details, i.e. your name, email address, postal address, phone number and job title.
  • Billing Information: We store information regarding the assistance we have provided to you (including the timing of our assistance), whether we have issued our invoices to you by email or ordinary email (or through any other systems), whether or not you have paid the relevant invoices, and in the event of a payment default, information regarding our use of a debt collector.
  • Identification control: We are required to undertake a client/identification control if the client relationship or our legal services fall within the scope applicable legislation regarding anti-money laundering. We will in connection with a client/identification control collect documentation and information that confirms the client's identity (such as valid ID), as well as the identity of the owners of the client (if the client is a legal person). We will also collect personal data about the purpose and nature of the client relationship. If you are a private client, we will collect your full name, birth number or D-number and address. If you do not have a birth number or D-number, we will collect information about your date of birth, place of birth, gender and citizenship. If the client is a legal person who is not registered in a public register, we will obtain personal data about the CEO, business manager, proprietor or equivalent contact person. After establishing the client relationship, registered information and obtained documentation will be subject to ongoing updates and verification as long as the client relationship exists.
  • Documents, archives and records: We will obtain, collect and generate documentation when we provide legal services and represent our clients. These documents, archives and records may include personal data regarding a person's affiliation with the relevant case. This personal information may be about private clients, the client's or opposite party's contact persons, employees, and representatives, as well as other third parties who have had an affiliation with the case.

Marketing and events

Thommessen will collect and process the following personal data in connection with our marketing activities, as well as evaluations of services we have performed:

  • Contact information: Full name, e-mail address, mailing address, phone number, job title and employer. If you are a student, we will also process information about your education which you have submitted to us (e.g. university, year of study etc.).
  • Events: Information regarding which of Thommessen's events and seminars you have attended or signed up to. We will also store information about which of your events representatives of Thommessen has attended, including information regarding the persons who were speakers or otherwise arranged the event/seminar. Furthermore, if you receive Thommessen's newsletter, we will store information about if the newsletter has been received and/or downloaded.
  • Surveys. We will process your feedback and comments regarding events Thommessen has organized, as well as other services that Thommessen has carried out.

The Purpose of our processing of personal data

We process the personal data specified above in this Privacy Notice for the purpose of establishing and administrating the client relationship, for the purpose of providing our legal services, for billing purposes and for the purpose of enabling us to store documents and archive. We also process contact information, billing information and undertake client/identification controls for the purpose of complying with Thommessen's statutory duties. We will furthermore process the contact details of our clients and potential clients for the purpose of conduction conflict checks.

We process the personal data specified above in this Privacy Notice in order to send you newsletters, invitations and information regarding our events, and other marketing communication. We also process the personal data specified above in this Privacy Notice in order to perform surveys and evaluations, and to conduct business analyzes of Thommessen's business and execution of legal services.

Further information on newsletters etc.

If you during the past years have received legal services or newsletters from us (for example if you are an existing client or a contact persons representing an existing client) and/or over the past few years have attended an event organized by Thommessen, we will use your contact information to send you newsletters as well as information and invitations to Thommessen's events and seminars. Newsletters and invitations to events and seminars will be sent by e-mail. Each email will include an unsubscribe button which you may follow if you do not wish to receive any further newsletters and invitations from Thommessen. You may also send an email to marked@thommessen.no if you do not wish to receive any further emails with newsletters and invitations to events.

You may also sign up for events and seminars and subscribe to our newsletter on thommessen.no, as well as through Thommessen's Facebook and LinkedIn pages. When you sign up for Thommessen's newsletter etc. through these pages, you will be asked to consent to receive information from us as well as to our processing of your personal data for the purpose of sending you newsletters and invitations to courses and seminars.

What is our legal basis for processing personal data?

If you are a private client (a client who is a physical person), we will process your contact information, billing information and any personal data included in the relevant matter-related documents, archives and records which we collect and/or generate (as described above) because the processing is necessary for the performance of the client engagement.

If you are the client's contact person (e.g. if the client is a legal person), we will process the aforementioned personal data based on Thommessen's legitimate interests as a law firm providing our legal services to the client, and administrating our relationship with the client. We do not consider our legitimate interest to be overridden by the interests of the data subjects affected by the foregoing processing activities. We may also process the personal data of other data subjects than the client or the client's contact persons (as described above) based on our legitimate interests in providing legal services, and to enable the client to establish, exercise or defend legal claims. If we in the course of our performance of legal services process special categories of personal data, then the processing will be carried out because it is necessary for the client's establishment, exercise or defense of legal claims.

We also process billing information and undertake client/identification controls (as described above) in order to fulfill our statutory duties in relation to inter alia anti-money laundering legislation, Norwegian bookkeeping legislation, and to comply with requirements enacted on the basis of the Norwegian Courts of Justice Act. We will not be able to establish a client relationship with you, or provide legal services to you without processing the foregoing information.

We process the personal data described above in this Privacy Notice for purposes related to Thommessen's legitimate interests. These legitimate interest is the promotion of Thommessen's events, courses and seminars, as well as the promotion of Thommessen's services. We also process the personal data described above in this Privacy Notice for the purpose of determining your relationship with Thommessen, to improve our services, and for the purpose of managing our client relationship. We do not consider our legitimate interest to be overridden by the interests of the data subjects affected by the foregoing processing activities.

Does Thommessen transfer or disclose your data to third parties?

We use external service providers to assist with IT services and other administrative support services. These service providers will act as data processors on behalf of Thommessen. We have entered into data processing agreements with our data processors which inter alia obligates the data processor to implement technical and organizational measures to ensure an appropriate level of security, confidentiality and integrity, as well as to only process the relevant personal data in accordance Data Protection Legislation.

Contact information and any personal data included in the relevant matter-related documents, archives and records which we collect and/or generate (as further described in Section "Thommessen's responsibility as a controller"), may be disclosed to counterparties, courts and supervisory bodies in connection with our preparation for proceedings, defense of claims, or otherwise in connection with the performance of our legal services. We will however, for the sake of clarity, not disclose your information to any third party, if the disclosure will violate our statutory duty of confidentiality.

We will not disclose your personal data to any other third parties than the third parties described above, unless required to do so under applicable law or as required under a court order.

Data retention

We will delete or anonymize personal data when they are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or as otherwise required under the Data Protection Legislation. We will furthermore delete or anonymize personal data in accordance with the following criteria:

  • Billing information and personal information related to client/identification controls will be stored in the period of time prescribed by statutory requirements, inter alia the Norwegian Bookkeeping Act and anti-money laundering legislation;
  • Personal data included in case related information, documentation, records and archives will normally be stored for ten years. We will as a result normally also store contact information obtained from the client for a ten year period. The foregoing applies to all files, records and documentation kept by us, except for documents that are deposited with us, typically wills and similar type of documents.
  • The personal data described in Section "Thommessen's responsibility as a controller" of the Privacy Notice, which we are processing for marketing purposes will be stored for as long as there exists a client (and/or "customer") relationship between us, or (if applicable) until you withdraw your consent to these processing activities. We consider there to be such a relationship as long as you have received legal service or newsletter from us the last few years, or if you have attended an event organized by Thommessen in recent times. If you attend a student event, we will delete personal data collected in this regard shortly after the event.

Your data protection rights

Under Data Protection Legislation, you have certain rights we need to make you aware of. The rights available to you inter alia depend on our reason for processing your personal data. You have the following rights in connection with our processing of your personal data:

  • Access: You may contact us if you want to obtain confirmation with respect to whether or not we are processing your personal data, as well as access to- and further information regarding our processing of your personal data. However, please note that your right of access will not apply if we are prohibited to give you such access due to our statutory duty of confidentiality.
  • Rectification: You may request us to rectify and/or complete inaccurate or incomplete personal data.
  • Erasure: You may request that we erase your personal data. We will respect and comply with your request unless we inter alia are prohibited from deleting your personal data under mandatory retention requirements, or the personal data is necessary for the establishment, exercise or defense of legal claims.
  • Restriction of processing: You may also request the restriction of our processing of your personal data in accordance with Data Protection Legislation. If the processing has been restricted, such personal data will, with the exception of storage, only be processed with your consent or for the exercise or defense of legal claims or for the protection of the rights of another person or for reasons of important public interest.
  • Right to object: You are entitled to object to certain processing activities, including for example processing of your personal data for marketing purposes. You are furthermore on grounds relating to your particular situation (for example, a specific need for protection of your identity), entitled to object to processing of personal data based on legitimate interests, which we will comply with, unless there exists compelling legitimate grounds for our processing which override your interest, or if our processing is necessary for the establishment, exercise or defense of legal claims.
  • Data Portability: If we process your personal data based on consent or based on our performance of a contract, and the processing is carried out by automated means, you may request us to transfer the personal data to you or another controller, in a structured, commonly used and machine-readable format.

Please note that our statutory duty of confidentiality may prohibit us from giving you access to your personal data. You may also be prevented from exercising the other rights described above, in the event that the relevant personal data falls within the scope of our statutory duty of confidentiality. You can read more about lawyer's duty of confidentiality on the Norwegian Bar Association's website: www.advokatforeningen.no.

Please contact us at the below listed contact information if you wish to make a request. Please also note that we may request the provision of additional information, if such information is necessary to confirm your identity.

Security

As a controller Thommessen is responsible for the security and confidentiality of the personal data we process. We are furthermore responsible for implementing appropriate technical and organizational measures to ensure an appropriate level of security of processing.

We are for security reasons not entitled to disclose detailed information on the security measures which we have implemented. However, all of our employees are bound by a duty of confidentiality with respect to the personal data which we process. We have furthermore implemented technical and organizational measures, policies and routines to ensure the security of our processing.

The Norwegian Data Protection Authority and other supervisory authorities

The Norwegian Data Protection Authority has inter alia been established to supervise the Norwegian companies' processing of personal data. You may contact us at any time if you have any information or complaints regarding our processing of your personal data. You may also file a complaint with the Norwegian Data Protection Authority, or a data protection authority in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged data protection infringement. You can obtain the contact details of the Norwegian Data Protection Authority on their website. You may also find more information on your rights and the Data Protection Legislation on this website.

Changes

We may, from time to time, revise this Privacy Notice for example due to changes in our processing activities, applicable Data Protection Legislation or other legislation which may affect our processing of personal data. An updated version of this Privacy Notice will be published on our website if any revisions to the Privacy Notice is made. We will furthermore notify you by email if we make any material changes to this Privacy Notice.

Contact information

If you have any questions about this Privacy Notice, including how we process personal data, or would like to submit a request to exercise your rights, please contact us at:

Advokatfirmaet Thommessen AS
Postboks 1484 Vika, Oslo, Norge
E-mail: privacy@thommessen.no
Telephone: +47 23 11 11 11